09 Sep Create a risk assessment plan for your company and do a thorough risk assessment analysis. Assess the ramifications of the risks you identify and make recommendations to mitigate those risks.
Module 05 Content
- Create a risk assessment plan for your company and do a thorough risk assessment analysis. Assess the ramifications of the risks you identify and make recommendations to mitigate those risks.
Your assignment should meet the following requirements:
- 6-8 pages long, not including the cover page and reference page.
- Conform to APA Style.
- For your final project, you will compile all of the weekly deliverables from Modules 02-04 and submit as a final project. Be sure to include your risk assessment plan in this final deliverable.
Compile your deliverables into a paper with the following sections (Hint: make these your level 1 heading per APA format, remembering the title of the paper is your heading for your introduction):
- Introduction
- IT Governance and Risk Control Plan
- Business Continuity and Service Level Agreements
- Risk Status Report
- IT Audit Process
- Risk Assessment Plan and Analysis
- Conclusion
- After compiling the weekly deliverables, condense the information into a paper 8-10 pages long, and keep only the most substantial information.
Your assignment should meet the following requirements:
- Be 8-10 pages long, not including the cover page and reference page.
- Conform to APA Style.
- Support your answers with at least six current scholarly journal articles (not more than five years old). The Rasmussen Library is a great place to find resources.
- Be clear and well-written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing. If you need assistance with your writing style and APA format, start with the Writing and APA guides at the Rasmussen Library.
Running head: FINAL ANALYSIS 1
Final Analysis
Jennifer Simmons
Rasmussen College
CIS4189C#: Risk Management and Business Continuity
Cliff Krahenbill
September 8, 2019
Final Analysis
Introduction
According to John Spacey with Simplicable (2016), risk management is the process in which one identifies, assesses, reduces and accepts risk. Traditionally this is done by avoiding, mitigating, transferring, or accepting the risks. Business continuity is often referred to as an umbrella under which risk management and disaster recovery reside. TechTarget defines business continuity management as a framework for identifying an organization's risk of exposure to threats, both internal and external. Baham et al. (2017) define disaster recovery as a subset of business continuity. This subset focuses on the process of creating and executing a plan for how an organization can continue operational functions, whether partially or completely, after a disaster or disruption. Disasters can be anything from a natural disaster such as an earthquake or hurricane to a manmade disaster such as theft or a terrorist attack.
Risk avoidance is often the quickest and simplest way that an organization can manage a risk once it is identified. Avoidance is when the agency chooses not to engage in an activity or multiple activities in which there is a risk. Risk mitigation differs from avoidance in that the agency chooses to engage in the risky behavior but decides to make the activity safer by trying to lessen the impact or risk associated with the activity. This choice is mostly used when the risk cannot be avoided. Risk transference is when a business chooses to transfer the risk from itself to another agency or organization. Finally, there is risk acceptance. Risk acceptance usually occurs when an organization analyzes the risk of an activity and finds the benefit outweighs the associated risk.
IT risk management is when the principles of risk management are applied to an IT organization to manage IT-specific risks. Techopedia states that IT risk management aims to manage the risk that comes with owning, operating, adopting, influencing, and being involved with the use of IT as part of a larger business. This means that the same ideas behind risk management (avoidance, mitigation, transference, and acceptance) can be applied to the information technology industry and should be taken into account just as they would be in any other industry. CA Technologies, an American multinational software company, calculates from a survey of 200 companies in North America and Europe that IT downtime cost $150,000 a year for each company. Additionally, CA Technologies found that, despite IT downtime being a common and lengthy ordeal, of the 200 companies surveyed, 56% of American and 30% of European companies do not have a good disaster recovery plan. Baham et al. (2017) also attribute this costly experience to an organization's dependence on its technological infrastructure. In the survey by CA Technologies, businesses stated that the IT downtime they experienced caused substantial damage to their reputations, staff morale, and customer loyalty.
IT Governance and Risk Control Plan
A risk control plan is a plan devised specifically to ensure that any threat, vulnerability, or loss can be identified and mitigated. Risks can compromise SalusCare's ability to perform and function as an organization or cause damage to the organization's assets. Risk monitoring is crucial for the success of an organization as it requires the organization to think critically about the state of the company as a whole. As such, ignoring or disregarding operational risks of any kind can put the organization, its clients, and its staff at risk. Analyzing, monitoring, and planning for risk is the best way to protect them.
Information systems.
The following are some risks identified during the risk assessment of the Information Systems Department:
Email Scams and Attachments – Information Systems
Theft of Mobile Devices from Remote Employees – Information Systems
Unauthorized Access to Patient Records – Information Systems
Facilities.
The following is the primary risk identified during the assessment of the Facilities Department:
Safety Precautions are not Followed – Facilities
Accounting.
The following are some risks identified during the assessment of the Accounting Department:
Unauthorized Access to Accounting Software – Accounting
Outgoing Checks do not match bank statements – Accounting
Crisis support.
The following are some risks identified while assessing the Crisis Support Team:
Patient Violence – Crisis Support
Imminent Threats from Patients – Crisis Support
Service Level Agreement
This service level agreement (SLA) describes the levels of service that SalusCare (‘the client’) will receive from Entech (‘the supplier’).
This SLA should be read alongside the IT support contract between the client and the supplier. Although the SLA covers key areas of the client’s IT systems and support, the support contract may include areas not covered by this SLA.
Purpose.
The client depends on IT equipment, software and services (together: ‘the IT system’) that are provided, maintained and supported by the supplier. Some of these items are of critical importance to the business.
This service level agreement sets out what levels of availability and support the client is guaranteed to receive for specific parts of the IT system. It also explains what penalties will be applied to the supplier should it fail to meet these levels.
This SLA forms an important part of the contract between the client and the supplier. It aims to enable the two parties to work together effectively.
Parties.
This SLA is between:
The client: SalusCare, 2789 Ortiz Avenue, Fort Myers, FL 33905. Key contact: Edmund Kemper, 239-875-4589, [email protected]
The supplier: Entech, 12578 Commonwealth Dr, Fort Myers, FL 33913. Key contact: Penelope Garcia, 239-458-7503, [email protected]
Dates and reviews.
This agreement begins on and will run for a period of 24 months.
It may be reviewed at any point, by mutual agreement. It may also be reviewed if there are any changes to the client’s IT system.
Exclusions.
This SLA is written in a spirit of partnership. The supplier will always do everything possible to rectify every issue in a timely manner.
However, there are a few exclusions. This SLA does not apply to:
Software, equipment or services not purchased via and managed by the supplier
Additionally, this SLA does not apply when:
The problem has been caused by using equipment, software or service(s) in a way that is not recommended.
The client has made unauthorized changes to the configuration or set up of affected equipment, software or services.
The client has prevented the supplier from performing required maintenance and update tasks.
The issue has been caused by unsupported equipment, software or other services.
This SLA does not apply in circumstances that could be reasonably said to be beyond the supplier’s control. For instance: floods, war, acts of god and so on.
This SLA also does not apply if the client is in breach of its contract with the supplier for any reason (e.g. late payment of fees).
Having said all that, Entech aims to be helpful and accommodating at all times, and will do its absolute best to assist SalusCare wherever possible.
Guaranteed uptime.
Uptime levels.
In order to enable the client to do business effectively, the supplier guarantees that certain items will be available for a certain percentage of time.
Measurement and penalties.
Uptime is measured using the supplier's automated systems, over each calendar month. It is calculated to the nearest minute, based on the number of minutes in the given month (for instance, a 31-day month contains 44,640 minutes).
If uptime for any item drops below the relevant threshold, a penalty will be applied in the form of a credit for the client.
This means the following month’s fee payable by the client will be reduced on a sliding scale.
The level of penalty will be calculated depending on the number of hours for which the service was unavailable, minus the downtime permitted by the SLA:
Priority level and penalty per hour (pro-rated to the nearest minute):
Priority 1: 5% of total monthly fee
Priority 2: 2% of total monthly fee
Priority 3: 1% of total monthly fee
Important notes:
Uptime penalties in any month are capped at 50% of the total monthly fee
Uptime measurements exclude periods of routine maintenance. These must be agreed between the supplier and client in advance.
Guaranteed response times.
When the client raises a support issue with the supplier, the supplier promises to respond in a timely fashion.
Response times.
The response time measures how long it takes the supplier to respond to a support request raised via the supplier’s online support system.
Response times are measured from the moment the client submits a support request via the supplier’s online support system.
Response times apply during standard working hours (9am — 5.30pm) only, unless the contract between the client and supplier specifically includes provisions for out of hours support.
Severity levels.
The severity levels shown in the tables above are defined as follows:
Fatal: Complete degradation — all users and critical functions affected. Item or service completely unavailable.
Severe: Significant degradation — large number of users or critical functions affected.
Medium: Limited degradation — limited number of users or functions affected. Business processes can continue.
Minor: Small degradation — few users or one user affected. Business processes can continue.
Measurement and penalties.
Important notes:
Response time penalties in any month are capped at 50% of the total monthly fee.
Response times are measured during working hours (9am — 5.30pm).
For instance, if an issue is reported at 5.00pm with a response time of 60 minutes, the supplier has until 9.30am the following day to respond.
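As an added example, not part of the student's paper, the following Python calculator implements the two measurements the SLA defines above: the monthly uptime credit (penalty rate by priority, pro-rated to the minute, capped at 50% of the fee) and the first-response deadline counted only within the 9am to 5.30pm working day. The availability threshold, the monthly fee and the Monday-to-Friday working week are assumptions, since the SLA's uptime and response-time tables are not reproduced on the page.

```python
from datetime import datetime, time, timedelta

# From the SLA text: penalty per hour of excess downtime, by priority level,
# and the 50% cap on total monthly penalties.
PENALTY_RATE = {1: 0.05, 2: 0.02, 3: 0.01}
PENALTY_CAP = 0.50
# Working hours stated in the SLA. Monday-Friday is an assumption; the text
# only says "the following day".
WORK_START, WORK_END = time(9, 0), time(17, 30)


def uptime_credit(monthly_fee, month_minutes, downtime_minutes, threshold, priority):
    """Credit owed for one calendar month, pro-rated to the nearest minute.

    threshold is the guaranteed availability for the item (an assumed value,
    e.g. 0.999, since the SLA's uptime table is not on the page). Downtime
    within the slack that threshold allows is free; each hour beyond it costs
    PENALTY_RATE[priority] of the fee, capped at 50% of the fee.
    """
    permitted_minutes = round(month_minutes * (1 - threshold))
    excess_minutes = max(0, downtime_minutes - permitted_minutes)
    credit = excess_minutes / 60 * PENALTY_RATE[priority] * monthly_fee
    return round(min(credit, PENALTY_CAP * monthly_fee), 2)


def response_deadline(reported_iso, response_minutes):
    """Latest first-response time, counting only working-hour minutes.

    Time left at 5.30pm rolls over to 9am on the next working day, so a
    60-minute response to a 5.00pm report is due at 9.30am the next morning.
    """
    remaining = timedelta(minutes=response_minutes)
    current = datetime.fromisoformat(reported_iso)
    while True:
        day_start = datetime.combine(current.date(), WORK_START)
        day_end = datetime.combine(current.date(), WORK_END)
        if current.weekday() < 5 and current < day_end:
            current = max(current, day_start)       # a report before 9am starts at 9am
            available = day_end - current
            if remaining <= available:
                return (current + remaining).isoformat(timespec="minutes")
            remaining -= available                  # consume the rest of today
        # Advance to 9am next day; weekends are skipped by the weekday() check.
        current = datetime.combine(current.date() + timedelta(days=1), WORK_START)


if __name__ == "__main__":
    # Constructed inputs: a 31-day month (44,640 minutes as in the SLA),
    # a $10,000 fee, 99.9% assumed threshold, 165 minutes of priority 1 downtime.
    print(uptime_credit(10000, 44640, 165, 0.999, 1))          # 1000.0
    print(response_deadline("2019-09-09T17:00", 60))            # 2019-09-10T09:30
```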
Resolution times.
The supplier will always endeavor to resolve problems as swiftly as possible. It recognizes that the client’s computer systems are key to its business and that any downtime can cost money.
However, the supplier is unable to provide guaranteed resolution times. This is because the nature and causes of problems can vary enormously.
In all cases, the supplier will make its best efforts to resolve problems as quickly as possible. It will also provide frequent progress reports to the client.
Right of termination.
The supplier recognizes that it provides services that are critical to the client’s business.
If the supplier consistently fails to meet the service levels described in this document, the client may terminate its entire contract with the supplier, with no penalty.
This right is available to the client if the supplier fails to meet these service levels more than five times in any single calendar month.
References
Baham, C., Hirschheim, R., Calderon, A. A., & Kisekka, V. (2017). An Agile Methodology for the Disaster Recovery of Information Systems Under Catastrophic Scenarios. Journal of Management Information Systems, 34(3), 633-663. doi:10.1080/07421222.2017.1372996
Harris, C. (2010). IT downtime costs $26.5 billion in lost revenue. InformationWeek. Retrieved from http://www.informationweek.com/it-downtime-costs-$265-billion-in-lostrevenue/d/d-id/1097919
Horton, M. (2018, December 20). Common Examples of Risk Management. Retrieved from https://www.investopedia.com/ask/answers/050715/what-are-some-examples-risk-management-techniques.asp
Kivisto, A. J. (2015). Violence Risk Assessment and Management in Outpatient Clinical Practice. Journal of Clinical Psychology, 72(4), 329-349. doi:10.1002/jclp.22243
Rouse, M., & Goulart, K. (n.d.). What is business continuity management (BCM)? Definition from WhatIs.com. Retrieved from https://searchcio.techtarget.com/definition/business-continuity-management-BCM
Schub, T., & Kornusky, J. (2018). Patient Violence: Risk and Management Strategies in the Behavioral Healthcare Setting. CINAHL Information Systems.
Shaw, K. (2018, January 23). What is disaster recovery? How to ensure business continuity. Retrieved from https://www.networkworld.com/article/3411457/what-is-disaster-recovery-how-to-ensure-business-continuity.html
Spacey, J. (2017, February 24). 33 Risk Management Examples. Retrieved from https://simplicable.com/new/risk-management-examples
Techopedia. (n.d.). What is IT Risk Management? Definition from Techopedia. Retrieved from https://www.techopedia.com/definition/25836/it-risk-management